Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:00):
Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey from Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so.
(00:20):
Let's dive into today's episode and keep your business on track. Today's episode is all about Controlled Unclassified Information, or CUI. We're going to talk about what it really is, why it matters, and the most common mistakes contractors make when handling it. If you've ever worried about accidentally mishandling sensitive data, this one's for you. All right, Brooke, let's start simple.
Brooke (00:41):
Alrighty, let's do.
Stacey (00:42):
What exactly is CUI, and why does it matter so much in defense contracting?
Brooke (00:46):
Well, CUI is unclassified but controlled information that the government possesses or creates that requires safeguarding or dissemination controls, limited to those with a lawful government purpose for handling that CUI. That's what CUI actually is. I think probably the lion's share of CUI is going to be controlled technical data. So it's going to be drawings, it's going to be specifications, it's going to be anything related to all that.
(01:08):
But it could also be, depending on what you do with the Department of Defense, personally identifiable information, PII, or it could be a lot of electronic personal health information, ePHI.
(01:28):
It could be any of those things. So there's a whole giant long list of CUI classifications, but really for the DoD, the lion's share of that is going to be controlled technical information, which, like I say, is going to be drawings, specifications, things like that that result from manufacturing things.
Stacey (01:49):
So, Brooke, what are the biggest mistakes you see companies make when handling CUI?
Brooke (01:54):
The biggest mistakes... probably the biggest mistake is sending CUI unencrypted through email. They get it unencrypted, they know it's CUI or think it's CUI, or maybe it's even marked, but if they get it through email, they just go ahead and send it through email. So mishandling that CUI through email is probably the biggest thing that we see.
(02:14):
So really you have a duty to say, if you get something that looks like CUI, you have a duty to say, "Hey, Mr. Contracting Officer or Mrs. Contracting Officer, this document you sent or this email you sent sure looks like CUI. Is this in fact CUI or is it not?"
(02:37):
So they should be able to answer and say, no, it's not, or yes, it is, and from there you can say, "Well, it's not marked. Can you mark it properly?" And so they should mark it and send it back. Probably the next biggest thing would be just storing all your CUI with everything else, right? On your network, in your environment. If you have a CUI enclave, you're probably already aware and splitting it out.
(02:58):
But CUI access needs to be limited to those who should have access to that CUI. In other words, HR shouldn't have it, probably. I don't see why they would, but if your HR person is also a machinist, then, you know, maybe so.
(03:20):
Or, you know, if your HR does other things, maybe they do. But it depends on how big your organization is, or rather how small it is. You know, accounting probably shouldn't have it. If there's somebody that only works on commercial projects and has nothing to do with the Department of Defense projects, they should be scoped out. They should not have access to that. Then there's having access to CUI on personal devices.
(03:45):
So you have a phone, you have email on it, and maybe you have access to OneDrive or SharePoint, and lo and behold, you can get to all that CUI on your mobile device, and nobody ever thinks about the phones, the cell phones. You know, they just don't even think of those, they don't scope those in, and lo and behold, a lot of those have access to that CUI.
(04:05):
And so if they have access, if you're not going to scope out those phones, then they have to be controlled. They have to meet all the applicable 110 controls and 320 assessment objectives. So that's another really big one. Making sure that flow-down occurs.
(04:27):
So not only in your organization, but if you subcontract out something, and most people subcontract out something. They don't do everything; just like Lockheed and Raytheon and all of them subcontract, you'll probably subcontract out some pieces too. And anything that is CUI that is subcontracted out, they have to be at the same level as you're supposed to be.
(04:50):
So the flow-down rule says that you're supposed to make sure that they're at the same level as you. That doesn't mean you have to go assess their environment. But if you're supposed to meet DFARS 252.204-7012, then they do too. You know, if they have to be Level 2 certified, or if you'd have to be Level 2 certified, so do they.
(05:13):
So there are some caveats to that. You know, if you are sure, 100% sure, that what you are sending them is just off-the-shelf stuff and has nothing to do with any CUI, and they don't get any information that could even be misconstrued as CUI, then that may be an off-the-shelf item and they may not have to be.
(05:35):
But you're going to have to make sure that's documented, and if it's part of that project, you're going to have to make sure that you know and document that. So those are the biggest things that we see with mishandling CUI.
Stacey (05:49):
Now that we've covered those big mistakes, what happens if a contractor mishandles CUI?
Brooke (05:55):
Well, there are about a million things that can happen, but one of the things that can happen is, if you send it through email and somebody's email is compromised, then that becomes a really big deal. You know, there'll be a cyber incident opened up, it'll be investigated, the whole nine yards.
(06:16):
So if it's investigated and somebody figures out, if the government figures out that you did something wrong, then you very well may be fined. I mean, there are fines out there in the millions of dollars right now to companies that have mishandled this.
(06:36):
You could lose your contract. The way you'd lose your contract is that you may no longer meet all the 110 controls that you said you met. And if that's not the case, and this contract requires that, then you may lose that contract, or you may not be able to get any new contracts, whatever the case may be.
(06:58):
If it's something that they determine that you said you were doing and they determine that you're just plain not doing it, then that is a False Claims Act case. And with the False Claims Act, again, there are plenty of examples out there of False Claims Act cases, and there are plenty of those that are in the millions of dollars of fines right now as well. So there could be, depending on what it is, there could be jail time too. Don't know.
(07:18):
It'd probably have to be pretty serious, I would hope. But they haven't ruled that out, so there could be jail time as well.
(07:40):
If you're trying to get assessed and the assessor discovers through their examine, interview and test that you're not quite covering something like you said you are, or maybe you just didn't say you are and you should be, it could cause you to fail an assessment as well. And that's a big deal also because of all the previous things. Loss of contract, loss of future contracts, etc.
Stacey (07:54):
When a contractor goes through a CMMC Level 2 assessment, how do assessors check CUI handling?
Brooke (08:00):
The basic method is they'll examine, interview, and/or test. So they don't necessarily have to do all three of these things for each control or each assessment objective, but they have all three of those available to them. Sometimes it doesn't make sense to do all three, or one of them, or something like that. But they do have those three options.
(08:22):
So examine: they'll examine your policies, your plans, and your procedures, they'll examine your proof, you know, any list or anything that you have, they'll examine all that. Test: for instance, if MFA is required to access your CUI, then they'll say, "Hey, log on and let me see that you in fact do have MFA turned on." You'll log in, you'll do your MFA, and they'll go, "Great, thank you very much."
(08:43):
Interview: they'll interview you, they'll interview your staff. There won't be any surprises here. They'll work all this out with you ahead of time. You know, you'll say, "Here's my scope, here's my initial set of documentation for you, and the people that are in scope," and they'll say, "All right, well, we want to talk to A, B, C, D, and E," right?
(09:04):
And so you'll know that, you'll approve that, or you can say, "Hey, well, Johnny's going to be out on vacation for the next two months," or whatever it might be, and so they'll choose somebody else. So you'll work all that out ahead of time, and there shouldn't be any surprises about any of that.
(09:26):
But that's how they determine how you're handling CUI and whether you're mishandling it or not.
Stacey (09:30):
Let's talk solutions. What are some of the low-cost, practical best practices small contractors can use to handle CUI the right way?
Brooke (09:40):
Sure. So probably one of the best things you can do, if you can do it, not everybody can, is to create a CUI enclave. And we've talked about that ad nauseam. If you look for, you know, how to implement CMMC somewhere, there'll be something about a CUI enclave.
(10:00):
So sometimes it makes sense, sometimes it doesn't. Some sort of CUI enclave makes sense, whether it's, you know, really small or incorporates everybody. If it incorporates everybody, that's more likely to be a small company, where, you know, people wear a lot of hats.
(10:21):
If you're in a larger company, it's a lot easier to separate out those jobs that are in it. Well, it's easier to separate those jobs out that are CUI versus the ones that are not. So it's easier to do that. But it also depends on how much of your business is DoD work and includes CUI.
(10:46):
So creating an enclave is probably the easiest single thing to do to minimize cost. Kind of on the enclave soapbox, there are a million different ways to do that. But there are some better ways to implement that that are a little lower cost than others. I'll go ahead and say it: Provela is one of those.
(11:08):
It may or may not fit you. You need to make sure you look into it and understand it and see if it'll work for you or not. But that's a lower cost solution that may work for you for a CUI enclave.
(11:34):
Limiting access, whether it's through an enclave tool like that or just a server on site, then make sure you limit access appropriately and, again, limit that to only the people that need access. If you do have a server on site, you know, a good idea is to separate out the data, commercial data from the DoD data, put them on two different virtual servers.
(11:54):
That'd be a really easy thing to do, you know. Sometimes you'll run across some controls that you don't really want to implement for your commercial data and that you need to for your CUI data. And if you split it out, a virtual server, a virtual machine, is an easy thing to create, an easy thing to spool up.
(12:19):
I'd say you can do that also in the cloud as well, but we're talking about lower cost solutions, and the cloud, although it's ongoing, the cost is easier to handle than a new server or something. Cloud is not cheaper. So it'll be more expensive in the end. And then when you document everything, work very hard to make sure that you keep everything very, very organized.
(12:42):
And it may seem counterintuitive, but really a GRC tool helps you do that. That is another expense. So you have to consider that, but consider the fact of, you know, what happens with your documents.
(13:06):
Over time you always have document sprawl, and, you know, your folders get put in different places, your versions of documents grow, and, you know, it gets hard to handle.
(13:28):
And when you do all your documentation properly with CMMC, it's not going to just be, you know, 15 documents. It's more likely going to be, you know, 40 or 50 or more documents, you know. So especially when you start adding in all your proof and everything else, it's going to be a lot more than that. So all that leads to document sprawl. An easy way to handle that is in a GRC tool.
(13:50):
And personally, I think in the end it'll end up saving you some money, or at the very least some headache and some time, and time is money. So you have to figure that out. You know, what do you charge other people for your time, and figure out if it's worth it or not. So I happen to think it's worth it. Other people may not, but that's my two cents right there.
Stacey (14:06):
Are there any recent updates or enforcement actions contractors should have on their radar?
Brooke (14:11):
There is. So we talked about it in the last podcast, and I think that one is up and ready to share. So yeah, okay, Stacey agrees. Stacey's the one that put it up, so she knows. So the 48 CFR rule has been published, so it's live, the clock is ticking, it goes into effect on November 10th.
(14:32):
The 48 CFR rule, again, is the one that puts CMMC in effect on contracts. So there are four phases to that. The first year starts on November 10th of 2025. Basically what you're doing right now: you have to self-attest that you're doing what you say you're doing.
(14:54):
POA&Ms are limited to 180 days, all sorts of fun stuff, but you have a year to do that, until November 10th, 2026. And that's when the Level 2 certifications will start being required on contracts. Again, there are some caveats to that. There may be some requirements by prime contractors or something for you to get yours earlier.
(15:18):
The government did leave a little wiggle room for themselves; they could require it a little earlier on a contract or two here or there, or later. So that's the basics of that 48 CFR rule. So that 48 CFR rule is a big one. The FAR CUI rule, I believe, is in the proposed stage still, if I recall properly.
(15:39):
But it's basically, they've always said they wanted to take this whole CMMC idea and get the DoD going on it and use the DoD as guinea pigs, I guess, and then roll it out to the rest of the federal government. Who knows exactly how it'll look, but they want to control that CUI, right?
(16:00):
And so they're rolling out the CUI rule to the rest of the government, and that kind of kicks off the process of some CMMC-like rule for the rest of the federal government, and that's big, and it'll be a big change. So we'll see how well that goes.
(16:21):
But that's the big thing coming.
Stacey (16:24):
If you have any questions about what we covered, reach out to us. We're here to fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.